For Holiday Cheer, Keep Customer Data Safe
This is Greg Balestrieri’s first Christmas as the Candy Man and he’s doing everything he can to make it a good -- and safe -- one for customers of his online sweet shop, Candy.com.
Balestrieri and his cousin and co-owner Joe Melville opened Candy.com in July stocked with 6,000 types of candy from 500 sweets makers. Christmas goodies include gingerbread-shaped Peeps, a two-pound mint stick, and old-fashioned ribbons and sourballs like your Grandma used to keep in the living room candy dish.
To prep for Christmas, the eight-person Weymouth, Mass. company also stocked up on e-commerce security measures to keep customers safe while they shop, including the latest website encryption technology, multiple security seal programs, and payment options that don’t require customers to input a credit card number. “It’s all about conversion,” Balestrieri says. “When you have thousands of people coming to your site every day, if making one little change like putting a security logo on your checkout page makes a 1 percent difference in conversion rate a day that can make a huge impact on your bottom line over time.”
Like Candy.com, small online merchants are mimicking the security practices of bigger, more well-known e-tailers to give customers a little peace of mind along with their wares this holiday season.
It’s vital for small businesses to show they’ve got their customers’ best interests in mind because they don’t have the familiarity of big brand names to fall back on, says Robert Siciliano, a Boston Internet security consultant. “In this day and age, you should be screaming about how secure you are,” Siciliano says. “Consumers are overwhelmingly concerned about their personal security as it relates to fraud prevention and identity theft. If you can show them you’re a security-minded brand, they’re more likely to do business with you.”
Secure holiday shopping cheer
When planning their online store, one of the first things Balestrieri and Melville did was hire a website hosting company that met widely used PCI DSS standards for processing credit card payments, which include a number of mandatory security measures.
To keep customers saying “Ho, ho, ho” instead of “Oh, no, oh, no,” here are other measures electronic shopkeepers should take, according to security vendors and consultants:
Use EVSSL -- Extended validation secure socket layer, or EVSSL, is an upgrade to the existing SSL security standard that requires certification requests to go through a more rigorous identity check and authentication process. When a website has EVSSL, the browser’s URL address bar turns green: on the left in Firefox, on the right in Internet Explorer, or as green text on a white background in Mac Web browsers. Since its February 2007 introduction, EVSSL has been adopted by 18,000 sites, including big names such as eBay and Overstock.com, but predominantly by small merchants, says Tim Callan, vice president of product marketing at VeriSign, part of the consortium that created the process. Some companies opt for EVSSL coverage throughout their entire site, while others like Candy.com use it only for the checkout process.
Sign up for seal programs -- Small merchants can pay security agents to vet their websites to ensure they’re operating within set security precautions and get trust marks or seals to display if they pass. Charges for such programs vary; VeriSign’s is $995 a year per server. Other programs include TRUSTe, BBB and McAfee Secure. Some also display the date and time a site went through its most recent security checkup. Experts suggest merchants prominently display trust marks, especially on checkout pages or other spots where they’re asking customers to fill out forms.
Offer multiple payment options -- For shoppers leery of giving credit card information to an online merchant they’ve never dealt with before, offering alternatives such as PayPal or Google Checkout is another way to gain their trust. Unlike larger merchants, small businesses don’t pay PayPal a monthly fee to maintain an account so it’s helpful and cheap, says Eddie Davis, the company’s director of small and mid-sized business service. However, merchants do pay PayPal a commission of 1.9 percent to 2.9 percent on each transaction. According to Davis, PayPal’s research has shown small merchants’ conversion rates go up 23 percent when they offer alternative payment methods. “We bring a lot of consumers who love using PayPal and they’ll seek out sites,” he says. Another option that security experts suggest is this: if you accept credit card payments, delete card information after a transaction, thereby eliminating any risk that hackers could break in and steal it.
Show and tell -- It’s not enough to display security program logos or trust marks on your website. You need to create a page somewhere that explains in detail what precautions you take, Siciliano says. That goes against the grain at some major online merchants, who treat their security measures as a competitive advantage. By contrast, smaller merchants who promote their security programs can use it as a way to differentiate themselves from their like-sized competitors. “Partnering with those big companies helps us get closer to that point of being trusted,” Balestrieri says.
Keep customers in the loop -- If the name of your online store isn’t the same as your corporate name, include both on order confirmations or credit card receipts that get e-mailed to customers -- it’ll save them from refusing the charge because they don’t know where it came from. “You’re also showing them you’re conscious of their card activity, you’re concerned for the security of their card,” says Siciliano, the security consultant. Because Balestrieri’s company’s legal name is G&J Holdings LLC, both that name and Candy.com show up in the Web browser window when customers are checking out, and on receipts.
E-commerce security isn’t just about keeping customers safe. Merchants have to make sure they’re not getting defrauded either. That’s why security experts suggest small businesses use intrusion protection hardware and software, monitor credit card activity levels and keep credit card blacklists.
SIDEBAR: Safe Shopping Resources
Resources online retailers can use to find out more about e-commerce security include:
- PCI Security Standards Council -- The online home of the industry group that developed the PCI DSS security standard for credit card payments offers a variety of resources and information, including downloadable specifications.
- CA/Browser Forum -- This volunteer industry consortium creates guidelines used for issuing EVSSL certifications and provides updates related to the standard.
- The Number One Sign of Trust on the Internet -- Results of a May 2009 study from Synovate/GMI and commissioned by VeriSign about online shoppers’ security concerns.